Identity thieves install spyware to monitor transactions from the inside

In a press release timed to coincide with the inauguration of President Barack Obama, credit card processor Heartland Payment Systems announced Tuesday that it suffered a grievous security breach sometime in 2008, allowing hackers the opportunity to steal credit card information on what is possibly more than 100 million accounts.

Heartland is the sixth largest payment processor in the country, and specializes in transaction processing for small-to-medium-sized restaurants and retailers. According to Wired’s Threat Level, it processes more than 100 million transactions a month.

Federal investigators determined the source of the breach only last week: spyware installed somewhere on the company’s internal network that sniffed unencrypted credit card transactions as they passed through Heartland’s systems.

“Heartland believes the intrusion is [now] contained,” reads the press release.

Actual damage assessments are still in progress, and the real question is just how much data the malware was able to capture. Heartland CFO and president Robert Baldwin, in an interview with, said his company was confident that the only data picked up was cardholders’ names and credit card numbers.

Baldwin would not speculate on the actual number of credit card accounts exposed. The company’s press release, however, could confirm that the breach had no effect on the company’s other services, which include payroll and check processing, micropayment solutions, and its “recently acquired” Network Services and Chockstone processing platforms. Similarly, cardholders’ addresses, PIN numbers, and other personal data were also unaffected.

The unknown hackers’ sniffers were able to pick up credit card numbers because the data is sent unencrypted over Heartland’s internal network, a policy that Baldwin justified as necessary “to get the authorization request out.”

Late last month, various blogs reported a number of mysterious, fraudulent sub-25-cent transactions appearing on readers’ and bloggers’ credit card statements, coming from a nonexistent company called “Adele Services”. While it appears these events are unrelated, some consider the timing suspicious.

“There is no hard evidence that the company's data leak was responsible for the sudden surge of mysterious microtransaction fees we reported in early December,” writes Ars Technica’s Joel Hruska, “but the timing is extremely coincidental. The December attacks were never successfully attributed to any single company or credit card, but instead affected a seemingly unrelated group of people.”

“Heartland may — and I do stress may — have been the hidden link between them,” he said.

Copyright 2017 DailyTech LLC.